wwoods: crazy idea: what if we change the repo location? Push out a new fedora-release to the old repo, signed with the old key, that contains the new key, and also updates /etc/yum.repos.d/fedora-updates.repo to point to a new tree, that would only contain packages signed with the new key?

wwoods: sounds good to me. I'm not sure we gain anything by pulling already-released updates anyway, so might as well leave the current repo as-is (with the exception of pushing the new fedora-release)